Testout Security Plus Labsim 5

5.5.4 Configure a Perimeter Firewall You work as the IT security administrator for a small corporate network. You recently placed a web server in the DMZ. You need to configure the perimeter firewall on the network security appliance to allow access to the web server from the LAN and from the WAN. You would also like to improve security by utilizing the attack security features provided by the firewall. In this lab, your task is to perform the following: • Add an HTTP firewall rule that allows traffic from the WAN to the web server in the DMZ. • Add an HTTPS firewall rule that allows traffic from the WAN to the web server in the DMZ. Use the following table for the HTTP and HTTPS rules: Parameter Setting From Zone UNSECURE (WAN) To Zone DMZ Service HTTP, HTTPS Action Allow Always Source Hosts Any Internal IP Address 172.16.2.100 External IP Address Dedicated WAN • Add a firewall rule to allow traffic from the LAN to the DMZ. Parameter Setting From Zone SECURE (LAN) To Zone DMZ Service Any Action Allow Always Source Hosts Any Destination Hosts Any • Enable all the firewall attack checks.

Task Summary Add an HTTP firewall rule that allows traffic from the WAN to the web server in the DMZ Hide Details From Zone: UNSECURE (WAN) To Zone: DMZ Service: HTTP Action: Allow Always Source Hosts: Any Internal IP Address: 172.16.2.100 External IP Address: Dedicated WAN Add an HTTPS firewall rule that allows traffic from the WAN to the web server in the DMZ Hide Details From Zone: UNSECURE (WAN) To Zone: DMZ Service: HTTPS Action: Allow Always Source Hosts: Any Internal IP Address: 172.16.2.100 External IP Address: Dedicated WAN Add a firewall rule to allow traffic from the LAN to the DMZ Hide Details From Zone: SECURE (LAN) To Zone: DMZ Service: Any Action: Allow Always Enable WAN security checks Hide Details Block Ping to WAN interface Enable Stealth Mode Block TCP Flood Enable LAN security checks Hide Details Block UDP Flood Enable ICSA settings Hide Details Block ICMP Notification Block Fragmented Packets Block Multicast Packets Explanation In this lab, you complete the following: • Add an HTTP firewall rule that allows traffic from the WAN to the web server in the DMZ. • Add an HTTPS firewall rule that allows traffic from the WAN to the web server in the DMZ. Use the following table for the HTTP and HTTPS rules: Parameter Setting From Zone UNSECURE (WAN) To Zone DMZ Service HTTP, HTTPS Action Allow Always Source Hosts Any Internal IP Address 172.16.2.100 External IP Address Dedicated WAN • Add a firewall rule to allow traffic from the LAN to the DMZ. Parameter Setting From Zone SECURE (LAN) To Zone DMZ Service Any Action Allow Always Source Hosts Any Destination Hosts Any • Enable all the firewall attack checks. Complete this lab as follows: 1. Configure the firewall as follows: a. In the Security Appliance Configuration Utility, select Firewall. b. From the left pane, select IPv4 Rules. c. In the right pane, select Add. d. Modify the firewall rule parameters; then click Apply. e. Repeat steps 1c-1d for each firewall rule. 2. Enable firewall attack checks as follows: a. From the left pane, select Attacks. b. Select all the WAN security checks. c. Select all the LAN security checks. d. Select all the ICSA settings; then click Apply.

5.12.5 Harden a Wireless Network You are a network technician for a small corporate network. You need to increase the security of your wireless network. Your new wireless controller provides several security features that you would like to implement. Access the Wireless Controller console through Internet Explorer on http://192.168.0.6 with the username admin and the password password. In this lab, your task is to perform the following: • Change the admin username and password for the Zone Director controller to the following: o Admin Name: WxAdmin o Password: ZDAdminsOnly!$ (O is the capital letter O) • Set up MAC address filtering (L2 Access Control) to create a whitelist called Allowed Devices that includes the following wireless devices: o 00:18:DE:01:34:67 o 00:18:DE:22:55:99 o 00:02:2D:23:56:89 o 00:02:2D:44:66:88 • Implement a device access policy called NoGames that blocks gaming consoles from the wireless network.

Task Summary Change admin username and password Hide Details Admin name: WxAdmin Password: ZDAdminsOnly!$ Enable MAC address filtering Hide Details ACL name: Allowed Devices Allowed Device: 00:02:2D:23:56:89 Allowed Device: 00:02:2D:44:66:88 Allowed Device: 00:18:DE:01:34:67 Allowed Device: 00:18:DE:22:55:99 Configure access controls Hide Details Device access policy name: NoGames Deny OS type: Gaming Explanation Configure the security features on your wireless controller as follows: 1. Change the admin username and password as follows: a. From the taskbar, open Internet Explorer. b. Maximize Internet Explorer. c. Type 192.168.0.6 and press Enter. d. Enter the username. e. Enter the password. f. Select Login. g. From the top, select the Administer tab. h. Make sure Authenticate using the admin name and password is selected. i. In the Admin Name field, enter the new username. j. In the Current Password field, enter the current password. k. In the New Password field, enter the new password. l. In the Confirm New Password field, enter the new password. m. On the right, select Apply. 2. Enable MAC address filtering as follows: a. From the top, select the Configure tab. b. From the left menu, select Access Control. c. Expand L2-L7 Access Control. d. Under L2/MAC address Access Control, select Create New. e. In the Name field, enter Allowed Devices. f. Under Restriction, make sure Only allow all stations listed below is selected. g. Enter a MAC address. h. Select Create New. i. Repeat step 2g-2h for each MAC address you would like to add to the ACL. j. Click OK. 3. Configure access controls as follows: a. In Access Control, expand Device Access Policy. b. Select Create New. c. In the Name field, enter NoGames. d. Select Create New. e. In the Description field, enter Games. f. In the OS/Type drop-down list, select Gaming. g. In the Type field, select Deny. h. Under Uplink, make sure Disabled is selected. i. Under Downlink, make sure Disabled is selected. j. Click Save. k. Click OK.

5.11.5 Configure Rogue Host Protection You are a network technician for a small corporate network. You would like to take advantage of the self healing features provided by the small enterprise wireless solution you have implemented. You are already logged in as WxAdmin on the Wireless Controller console from ITAdmin. In this lab, your task is to perform the following: • Configure self healing on the wireless network. o Automatically adjust AP radio power to optimize coverage when interference is present. o Set 2.4GHz and 5GHz radio channels to use the Background Scanning method to adjust for interference. • Configure the background scanning needed for rogue device detection, AP locationing, and self healing. Background scans should be performed on all radios every 30 seconds. • Configure load balancing for all radios by adjusting the threshold to 40dB. • Configure band balancing to allow no more than 30% of clients to use the 2.4GHz radios. • Reduce the power levels to -3dB for three access points in Building A to reduce RF emanations. Use the wireless survey results in the exhibit to identify the access points. The amount to reduce TX Power by is a judgment call based on the wireless survey results. In practice, you would repeat the wireless survey to verify the proper TX Power settings.

Task Summary Configure Self Healing Hide Details Automatically adjust AP radio power Use Background Scanning on 2.4GHz channels Use Background Scanning on 5GHz channels Configure Background Scanning Hide Details Run a background scan every 30 seconds on the 2.4GHz radio Run a background scan every 30 seconds on the 2.4GHz radio Configure Load Balancing Hide Details Run load balancing on the 2.4GHz radio with a 40dB threshold Run load balancing on the 5GHz radio with a 40dB threshold Configure Band Balancing for 30% on 2.4GHz Adjust the AP Power Level Hide Details Reduce 2.4GHz Radio Transmit power in Center AP by 1 to 3db Reduce 5GHz Radio Transmit power in Center AP by 1 to 3db Reduce 2.4GHz Radio Transmit power in East AP by 1 to 3db Reduce 5GHz Radio Transmit power in East AP by 1 to 3db Reduce 2.4GHz Radio Transmit power in West AP by 1 to 3db Reduce 5GHz Radio Transmit power in West AP by 1 to 3db Explanation In this lab, you perform the following: • Configure self healing on the wireless network. o Automatically adjust AP radio power to optimize coverage when interference is present. o Set 2.4GHz and 5GHz radio channels to use the Background Scanning method to adjust for interference. • Configure background scanning necessary for rogue device detection, AP locationing, and self healing. Background scans should be performed on all radios every 30 seconds. • Configure load balancing for all radios by adjusting the threshold to 40dB. • Configure band balancing to allow no more than 30% of clients to use the 2.4GHz radios. • Reduce the power levels to -3dB for three access points in Building A to reduce RF emanations. Use the wireless survey results in the exhibit to identify the access points. Configure your wireless access points as follows: 1. Configure Self Healing as follows: a. From the top, select the Configure tab. b. From the left menu, select Services. c. Select Automatically adjust AP radio power to optimize coverage when interference is present. d. Under Automatically adjust 2.4GHz channels using, select Background Scanning from the drop-down menu. e. Under Automatically adjust 5GHz channels using, select Background Scanning from the drop-down menu. f. On the right, click Apply. 2. Configure Background Scanning as follows: o Select Run a background scan on 2.4GHz radio. o Enter 30 seconds. o Select Run a background scan on 5GHz radio. o Enter 30 seconds. o On the right, click Apply. 3. Configure Load Balancing as follows: o Select Run load balancing on 2.4GHz radio. o In the Adjacent radio threshold(dB) field, enter 40. o Select Run load balancing on 5GHz radio. o In the Adjacent radio threshold(dB) field, enter 40. o On the right, select Apply. 4. Configure Band Balancing as follows: . Select Percent of clients on 2.4GHz radio. a. Enter the percentage. b. On the right, click Apply. 5. Adjust the AP Power Level as follows: . From the left menu, select Access Points. a. From the top right, select Exhibit to determine which access points to adjust. b. Select Edit next to the access point to be modified. c. Under Radio B/G/N(2.4G) next to TX Power, make sure Override Group Config is selected. d. From the TX Power drop-down list, select -3dB (1/2). e. Under Radio A/N/AC(5G) next to TX Power, make sure Override Group Config is selected. f. From the TX Power drop-down list, select -3dB (1/2). g. Click OK. h. Repeat steps 6b - 6f for additional access points.

5.4.3 Configure a DMZ You are the IT administrator for a small corporate network. Recently, you added a web server that runs services that need to be accessible from the internet. You need to place this server in a DMZ and configure the DMZ settings on the network security appliance (NSA). In this lab, your task is to perform the following: • Connect the left port of the CorpDMZWeb server to the Optional port on the NSA. • Configure the Optional port on the NSA for DMZ mode from the IT administrator's workstation. o NSA management console address: http://198.28.56.18 o Username: xAdmin o Password: Admin$0nly (0 is zero) • Configure the DMZ port to act as a DHCP server with the default IP addresses. o Primary DNS server address: 163.128.78.93 o Secondary DNS server address:163.128.80.93 • Reserve the first IP address in the DMZ's DHCP address range for CorpDMZWeb. o IP address: 172.16.2.100 o MAC address: 1A:2B:C4:28:3B:9F • Configure the CorpDMZWeb server to obtain an IP address automatically. • Configure the CorpDMZWeb server to obtain a DNS address automatically. • Verify that the CorpDMZWeb server receives the reserved IP address.

Task Summary Connect the CorpDMZWeb server to the Optional port on the NSA Configure the Optional port for DMZ mode Configure the DMZ zone for DHCP Hide Details DHCP Server Mode Primary DNS: 163.128.78.93 Secondary DNS: 163.128.80.93 Configure a reserved IP address for the CorpDMZWeb server Hide Details IP Address: 172.16.2.100 Configure the DMZ server to obtain an IP and DNS address automatically Confirm that the CorpDMZWeb server is connected to the internet Explanation In this lab, your task is to perform the following: • Connect the left port of the CorpDMZWeb server to the Optional port on the NSA. • Configure the Optional port on the NSA for DMZ mode from the IT administrator's workstation. o NSA management console address: http://198.28.56.18 o Username: xAdmin o Password: Admin$0nly (0 is zero) • Configure the DMZ port to act as a DHCP server with the default IP addresses. o Primary DNS server address: 163.128.78.93 o Secondary DNS server address:163.128.80.93 • Reserve the first IP address in the DMZ's DHCP address range for CorpDMZWeb. o IP address: 172.16.2.100 o MAC address: 1A:2B:C4:28:3B:9F • Configure the CorpDMZWeb server to obtain an IP address automatically. • Configure the CorpDMZWeb server to obtain a DNS address automatically. • Verify that the CorpDMZWeb server receives the reserved IP address. Complete this lab as follows: 1. Connect the Server to the NSA as follows: a. Under Workspace, select Back to switch to the back view of the server rack. b. Expand Cables under the Shelf. c. Select the Cat5e cable. d. In the Selected Component window, click on the network cable connector and drag it to the left Ethernet port on the CorpDMZWeb server. e. In the Selected Component window, click on the other network cable connector and drag it to the Optional port on the NSA. Use the slider by Workspace to zoom in and out as needed. 2. Configure the DMZ as follows: a. From the top menu, select Building A. b. Select Floor 1 to navigate to the IT Administration office. c. Select ITAdmin. d. On the taskbar, open Internet Explorer. e. In the URL field, enter the NSA Management address of 198.28.56.18 and press Enter. f. Maximize Internet Explorer for easier viewing. g. In the Username field, enter xAdmin. h. In the Password field, enter Admin$0nly (0 is zero). i. Select Log In. j. In the left pane under Getting Started, select Advanced. k. Under DMZ Port, select Set Optional Port to DMZ Mode. l. Select DMZ. m. Click Apply. n. In the left pane, select DMZ Config. o. On the DMZ Configuration page under DHCP mode, select DHCP Server from the drop-down list. p. In the Primary DNS Server field, enter 163.128.78.93. q. In the Secondary DNS Server field, enter 163.128.80.93; then click Apply. r. In the left pane, select DMZ Reserved IPs. s. On the DMZ Reserved IPs page, select Add. t. In the IP Address field, enter 172.16.2.100. u. In the MAC Address field, enter 1A:2B:C4:28:3B:9F; then click Apply. 3. Configure DMZ Server Networking as follows: a. From the top, select Building A. b. Select Basement to navigate back to the basement. c. Select CorpDMZWeb. d. Right-click the Network icon in the navigation area and select Open Network and Sharing Center. e. Select Change adapter settings. f. Right-click Ethernet and then select Properties. g. Select Internet Protocol Version 4 (TCP/IPv4). h. Select Properties. i. Select Obtain an IP address automatically. j. Select Obtain DNS server address automatically; then click OK. k. Click Close. l. Close the Network Connections dialog. m. In the Network and Sharing Center console, select Ethernet. n. Select Details to verify that the server has received the correct IP address and DNS server addresses

5.2.8 Prevent Zone Transfers The CorpDC3 server is a domain controller in the CorpNet.com domain. The server holds an Active Directory-integrated zone for the CorpNet.com domain. You need to secure zone data and prevent anyone from copying zone data from the CorpDC3 server through zone transfer. Because all zone information is replicated automatically through Active Directory replication, you know you can disable zone transfers while still replicating data with other domain controllers. In this lab, your task is to disable zone transfers for the CorpNet.com zone.

Task Summary Disable zone transfers for the CorpNet.com zone Explanation In this lab, your task is to disable zone transfers for the CorpNet.comzone. Complete this lab as follows: 1. From Server Manager, select Tools > DNS. 2. Expand CORPDC3 > Forward Lookup Zones. 3. Right-click the zone you want to edit and select Properties. 4. Select the Zone Transfers tab. 5. Deselect Allow zone transfers. 6. Click OK.

5.8.3 Configure Web Threat Protection You work as the IT security administrator for a small corporate network. You need to enable Web Threat Protection on the network security appliance (NSA) to provide content filtering for your network. In this lab, your task is to perform the following: • Enable Web Threat Protection with High security level. • Enable URL Filtering with the following filters: Category Business Leisure Computers/ Bandwidth X Computers/ Harmful X X Adult X X • Specify business hours o Business days: Monday-Friday o Morning: 08:00-12:00 o Afternoon: 13:00-17:00

Task Summary Enable Web Threat Protection Hide Details Web Threat Protection Enabled Security level set to High Enable URL Filtering Hide Details Computers/Bandwidth during business hours Computers/Harmful during business and leisure hours Adult Content during business and leisure hours Define Business Hours Hide Details Monday through Friday Mornings from 8:00 to 12:00 Afternoons from 13:00 to 17:00 Explanation In this lab, your task is to perform the following: • Enable Web Threat Protection with High security level. • Enable URL Filtering with the following filters: Category Business Leisure Computers/ Bandwidth X Computers/ Harmful X X Adult X X • Specify business hours o Business days: Monday-Friday o Morning: 08:00-12:00 o Afternoon: 13:00-17:00 Complete this lab as follows: 1. From the top menu, select ProtectLink. 2. From the left pane, expand Web Protection. 3. Select Web Threat Protection. 4. Select Enable Web Threat Protection. 5. Select High for the security level; then click Apply. 6. From the left pane, select URL Filtering. 7. Select Enable URL Filtering. 8. For the Computers/Bandwidth category, select Business Hours. 9. For the Computers/Harmful category, select Business Hours and Leisure Hours. 10. For the Adult category, select Business Hours and Leisure Hours. 11. Under Business Days, make sure the days Monday-Friday are selected. 12. Under Business Times, select Specify Business Hours. 13. Make sure Morning is selected. 14. Verify the morning hours. 15. Make sure Afternoon is selected. 16. Modify the afternoon hours. 17. Click Apply.

5.3.7 Configure Network Security Appliance Access You work as the IT security administrator for a small corporate network. You need to secure access to your network security appliance, which is still configured with the default user settings. In this lab, your task is to perform the following: • Rename the default user account (cisco) with the following parameters: o User name: xAdmin o Password: Admin$0nly (0 = zero) o Idle timeout: 15 minutes o Set for LAN access only (no WAN access) o Allow access only from CorpServer (192.168.0.10) • Create a new administrative user with the following parameters: o User name: mbrown o First name: Mary o Last name: Brown o User type: Administrator o Password: St@y0ut! (0 = zero) o Idle timeout: 15 minutes o Set for LAN access only (no WAN access) o Allow access only from the administrator's workstation (192.168.0.21) Access the NSA management console through Internet Explorer on http://198.28.56.18. Default username: cisco. Password: cisco.

Task Summary Rename the default user Hide Details New name: xAdmin Password: Admin$0nly Idle Timeout: 15 minutes Add the mbrown user Hide Details User Name: mbrown First Name: Mary Last Name: Brown User Type: Administrator Password: St@y0ut! Idle Timeout: 15 minutes Deny login from the WAN interface Hide Details Deny WAN login for xAdmin Deny WAN login for mbrown Restrict login for xAdmin to 192.168.0.10 Restrict login for mbrown to 192.168.0.21 Explanation In this lab, your task is to perform the following: • Rename the default user account (cisco) with the following parameters: o User name: xAdmin o Password: Admin$0nly (0 = zero) o Idle timeout: 15 minutes o Set for LAN access only (no WAN access) o Allow access only from CorpServer (192.168.0.10) • Create a new administrative user with the following parameters: o User name: mbrown o First name: Mary o Last name: Brown o User type: Administrator o Password: St@y0ut! (0 = zero) o Idle timeout: 15 minutes o Set for LAN access only (no WAN access) o Allow access only from the administrator's workstation (192.168.0.21) Complete this lab as follows: 1. Select Start. 2. Select Windows Accessories. 3. Select Internet Explorer. 4. In the URL field, type 198.28.56.18 and press Enter. 5. In the Username field, enter cisco. 6. In the Password field, enter cisco to log in to the Security Appliance Configuration utility. 7. Select Log In. 8. Rename the default user account as follows: a. From the Getting Started (Basic) page, select Change Default Admin Password and Add Users. b. Select Edit for the cisco username. c. In the User Name field, enter the new username. d. Select Check to Edit Password. e. Enter the current logged in administrator password. f. Enter the new password. g. Re-enter the new password to confirm the new password. h. Enter the idle timeout; then click Apply. 9. Create a new administrative user as follows: a. Select Add to add another user. b. In the User Name field, enter the username. c. Enter the first name. d. Enter the last name. e. From the User Type drop-down list, select Administrator. f. Enter the password. g. Re-enter the password to confirm the new password. h. Enter the idle timeout; then click Apply. 10. Edit user policies as follows: a. Under Edit User Policies, select Login to configure a login policy. b. Select Deny Login from WAN Interface; then click Apply. c. Repeat steps 10a-10b for the other user. 11. Define network access as follows: a. Under Edit User Policies, select By IP to configure IP address restrictions for login. b. Select Add. c. In the Source Address Type field, make sure IP Address is selected. d. In the Network Address/IP Address field, enter the appropriate IP address; then click Apply. e. Select Allow Login only from Defined Addresses. f. Click Apply to close the dialog. g. Repeat steps 11a-11f for the other user.

5.7.5 Configure a VPN Connection iPad You work as the IT security administrator for a small corporate network. You recently set up the Remote Access VPN feature on your Network Security Appliance to provide you and your fellow administrators with secure access to your network. You are currently at home and would like to connect your iPad to the VPN. Your iPad is connected to your home wireless network. In this lab, your task is to perform the following: • Add an IPSec VPN Connection using the following values: Parameter Value Description CorpNetVPN Server 198.28.56.34 Account mbrown Secret 1a!2b@3c#4d$ • Turn on the VPN. • Verify that a connection is established. The password for mbrown is L3tM31nN0w (0 = zero).

Add and IPSec VPN Connection Hide Details Description: CorpNetVPN Server Address: 198.28.56.34 User Account: mbrown Secret: 1a!2b@3c#4d$ Turn On VPN and connect Explanation In this lab, you perform the following: • Add an IPSec VPN Connection using the following values: Parameter Value Description CorpNetVPN Server 198.28.56.34 Account mbrown Secret 1a!2b@3c#4d$ • Turn on the VPN. • Verify that a connection is established. The password for mbrown is L3tM31nN0w (0 = zero). Complete this lab as follows: 1. Select Settings. 2. Select Wi-Fi. 3. Verify that you are connected to the Home-Wireless network. 4. From the left menu, select General. 5. Select VPN. 6. Select Add VPN Configuration. 7. Select IPSec. 8. In the Description field, enter the description. 9. In the Server field, enter server IP address. 10. In the Account field, enter account admin username. 11. In the Secret field, enter the pass phrase. 12. Click Save. 13. Under VPN Configuration, set Not Connected to ON. 14. Enter L3tM31nN0w (0 = zero) as the password. 15. Click OK.

5.12.6 Configure WIPS You are a network technician for a small corporate network. You would like to enable Wireless Intrusion Prevention on the wireless controller. You are already logged in as WxAdmin on the Wireless Controller console from ITAdmin. In this lab, your task is to perform the following: • Configure the wireless controller to protect against denial of service (DOS) attacks as follows: o Protect against excessive wireless requests. o Block clients with repeated authentication failures for two minutes (120 seconds). • Configure Intrusion Detection and Prevention as follows: o Report all rogue devices regardless of type. o Protect the network from rogue access points. • Enable rogue DHCP server detection.

Task Summary Configure Denial of Service protection Hide Details Protect against excessive wireless requests Block clients with repeated authentication failures Block clients for two minutes (120 seconds) Enable Wireless Intrusion Protection Hide Details Enable Rogue Device Reporting Report all rogue devices regardless of type Protect the network from rogue access points Enable Rogue DHCP Server Detection Explanation In this lab, you perform the following tasks: • Configure the wireless controller to protect against denial of service (DOS) attacks as follows: o Protect against excessive wireless requests. o Block clients with repeated authentication failures for two minutes (120 seconds). • Configure Intrusion Detection and Prevention as follows: o Report all rogue devices regardless of type. o Protect the network from rogue access points. • Enable rogue DHCP server detection. Enable Wireless Intrusion Prevention on the wireless controller as follows: 1. Select the Configure tab. 2. From the left menu, select WIPS. 3. Configure Denial of Service protection as follows: a. Select Protect my wireless network against excessive wireless requests. b. Select Temporarily block wireless clients with repeated authentication failures. c. Enter the threshold in seconds. d. On the right, click Apply. 4. Configure Intrusion Detection and Prevention as follows: a. Select Enable report rogue devices. b. Select Report all rogue devices. c. Select Protect the network from malicious rogue access points. d. On the right, click Apply. 5. Select Enable rogue DHCP server detection; then click Apply.

5.10.7 Configure a Wireless Network You are a network technician for a small corporate network. You just installed a Ruckus zone controller and wireless access points throughout the buildings using wired connections. Now you need to configure basic wireless network settings. You can access the wireless controller console through Internet Explorer on http://192.168.0.6 using the username adminand the password password. In this lab, your task is to perform the following: • Create a WLAN using the following settings: o Name: CorpNet Wireless o ESSID: CorpNet o Type: Standard Usage o Authentication: Open o Encryption: WPA2 o Encryption Algorithm: AES o Passphrase: @CorpNetWeRSecure! • Connect the Exec-Laptop in the Executive office to the new wireless network.

Task Summary Create the CorpNet WLAN Hide Details Name: CorpNet Wireless SSID: CorpNet Type: Standard Usage Authentication: Open Encryption: WPA2 Encryption Algorithm: AES Passphrase: @CorpNetWeRSecure! Connect Exec-Laptop to the CorpNet Wireless network Explanation In this lab, your task is to perform the following: • Create a WLAN using the following settings: o Name: CorpNet Wireless o ESSID: CorpNet o Type: Standard Usage o Authentication: Open o Encryption: WPA2 o Encryption Algorithm: AES o Passphrase: @CorpNetWeRSecure! • Connect the Exec-Laptop in the Executive office to the new wireless network. Create a WLAN on the wireless controller as follows: 1. From the taskbar, open Internet Explorer. 2. In the URL field, enter 192.168.0.6 and press Enter. 3. Log in to the wireless controller console with username admin and password password. 4. Select the Configure tab. 5. From the left menu, select WLANs. 6. Under WLANs, select Create New. 7. In the Name field, enter the network name. 8. In the ESSID field, enter the ESSID for the network. 9. Under Type, make sure Standard Usage is selected. 10. Under Authentication Options, make sure Open is selected. 11. Under Encryption Options, select WPA2. 12. Under Encryption Options/Algorithm, make sure AES is selected. 13. In the Passphrase field, enter the passphrase for the network. 14. Click OK. 15. Using the location tabs at the top of the screen, select Floor 1. 16. In the Executive Office location, select Exec-Laptop. 17. In the notification area, select the wireless network icon to view the available networks. 18. Select CorpNet. 19. Select Connect. 20. Enter @CorpNetWeRSecure! for the security key; then click Next. 21. Click Yes to make the computer discoverable on the network.

5.7.4 Configure a Remote Access VPN You work as the IT security administrator for a small corporate network. Occasionally, you and your co-administrators need to access internal resources when you are away from the office. You would like to set up Remote Access VPN on your network security appliance to allow secure access. In this lab, your task is to perform the following: • Configure Remote Access VPN using the following settings: Parameter Value VPN Type Remote Access Connection Name CorpNetVPN Pre-shared Key 1a!2b@3c#4d$ Local Gateway Type IP Address Local WAN's IP Address 198.28.56.34 • Verify that the VPN Policy was created. • Verify that the IKE Policy was created. • Configure the following Standard IPSec users: User Password mbrown L3tM31nN0w jgolden L3tM31nT00 sbarnes Adm1nsR0ck

Task Summary VPN Wizard Configuration Hide Details Connection Name: CorpNetVPN Preshared Key: 1a!2b@3c#4d$ Local IP Address: 198.28.56.34 Configure IPSec users Hide Details Username: mbrown Password: L3tM31nN0w Username: jgolden Password: L3tM31nT00 Username: sbarnes Password: Adm1nsR0ck Explanation In this lab, your task is to perform the following: • Configure Remote Access VPN using the following settings: Parameter Value VPN Type Remote Access Connection Name CorpNetVPN Pre-shared Key 1a!2b@3c#4d$ Local Gateway Type IP Address Local WAN's IP Address 198.28.56.34 • Verify that the VPN Policy was created. • Verify that the IKE Policy was created. • Configure the following Standard IPSec users: User Password mbrown L3tM31nN0w jgolden L3tM31nT00 sbarnes Adm1nsR0ck Complete this lab as follows: 1. From the top menu, select VPN. 2. Under About VPN Wizard, select the VPN type. 3. Enter the connection name. 4. Enter the pre-shared key. 5. Select the local gateway type. 6. Enter the WAN's IP address; then click Apply. 7. Under List of VPN Policies, verify that the policy was created. 8. Select IKE Policies and verify that the policy was created. 9. Add new IPSec users as follows: a. Select IPSec Users. b. Select Add. c. Enter the username. d. Under Remote Peer Type, make sure Standard IPSec (XAuth) is selected. e. Enter the password. f. Re-enter the password to confirm it. g. Click Apply. h. Repeat steps 9b-9g for each user.